dd7b3526a55859be31413818b1f2f2d5a66484c0709e1a43e3025731f64a3eba

General

Target

00a65fcd55df9360f3b4ab1472db51f0_NeikiAnalytics.exe
Size

895KB
MD5

00a65fcd55df9360f3b4ab1472db51f0
SHA1

29211bea1110f55505100b08c5c65cc102b35d1a
SHA256

dd7b3526a55859be31413818b1f2f2d5a66484c0709e1a43e3025731f64a3eba
SHA512

9d0c906ac496ccb9aeda6012c14f98c496d83b8cdfd19de3f73b54077e9c371dff5af0ca25a341108bfbf757e71f3765e8bf2ef5d1b05d3c8b70815c6e1465f8
SSDEEP

6144:+uj8NDF3OR9/Qe2HdJ8RAe6xV/nhDvyHOc:hOF3ORK3d7e6xV/hD6Hd

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2676	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2328	casino_extensions.exe
2380	LiveMessageCenter.exe

Loads dropped DLL 4 IoCs

pid	Process
1704	casino_extensions.exe
1704	casino_extensions.exe
2372	casino_extensions.exe
2372	casino_extensions.exe

Drops file in System32 directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\LiveMessageCenter.exe	casino_extensions.exe
File created	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File created	C:\Windows\SysWOW64\LiveMessageCenter.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\LiveMessageCenter.exe	casino_extensions.exe

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	LiveMessageCenter.exe
File created	C:\Program Files (x86)\Internet Explorer\$$202803s.bat	casino_extensions.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2380	LiveMessageCenter.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2220	00a65fcd55df9360f3b4ab1472db51f0_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2220 wrote to memory of 1704	2220	00a65fcd55df9360f3b4ab1472db51f0_NeikiAnalytics.exe	28
PID 2220 wrote to memory of 1704	2220	00a65fcd55df9360f3b4ab1472db51f0_NeikiAnalytics.exe	28
PID 2220 wrote to memory of 1704	2220	00a65fcd55df9360f3b4ab1472db51f0_NeikiAnalytics.exe	28
PID 2220 wrote to memory of 1704	2220	00a65fcd55df9360f3b4ab1472db51f0_NeikiAnalytics.exe	28
PID 1704 wrote to memory of 2328	1704	casino_extensions.exe	29
PID 1704 wrote to memory of 2328	1704	casino_extensions.exe	29
PID 1704 wrote to memory of 2328	1704	casino_extensions.exe	29
PID 1704 wrote to memory of 2328	1704	casino_extensions.exe	29
PID 2328 wrote to memory of 2372	2328	casino_extensions.exe	30
PID 2328 wrote to memory of 2372	2328	casino_extensions.exe	30
PID 2328 wrote to memory of 2372	2328	casino_extensions.exe	30
PID 2328 wrote to memory of 2372	2328	casino_extensions.exe	30
PID 2372 wrote to memory of 2380	2372	casino_extensions.exe	31
PID 2372 wrote to memory of 2380	2372	casino_extensions.exe	31
PID 2372 wrote to memory of 2380	2372	casino_extensions.exe	31
PID 2372 wrote to memory of 2380	2372	casino_extensions.exe	31
PID 2380 wrote to memory of 2672	2380	LiveMessageCenter.exe	32
PID 2380 wrote to memory of 2672	2380	LiveMessageCenter.exe	32
PID 2380 wrote to memory of 2672	2380	LiveMessageCenter.exe	32
PID 2380 wrote to memory of 2672	2380	LiveMessageCenter.exe	32
PID 2672 wrote to memory of 2676	2672	casino_extensions.exe	33
PID 2672 wrote to memory of 2676	2672	casino_extensions.exe	33
PID 2672 wrote to memory of 2676	2672	casino_extensions.exe	33
PID 2672 wrote to memory of 2676	2672	casino_extensions.exe	33

C:\Users\Admin\AppData\Local\Temp\00a65fcd55df9360f3b4ab1472db51f0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\00a65fcd55df9360f3b4ab1472db51f0_NeikiAnalytics.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:2220
- C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
  "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
  2⤵
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:1704
- - C:\Windows\SysWOW64\casino_extensions.exe
    C:\Windows\system32\casino_extensions.exe
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious use of WriteProcessMemory
    PID:2328
  - - C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
      "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
      4⤵
      Loads dropped DLL
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:2372
    - - C:\Windows\SysWOW64\LiveMessageCenter.exe
        
        C:\Windows\system32\LiveMessageCenter.exe /part2
        5⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2380
      - C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        6⤵
        Drops file in System32 directory
        Drops file in Program Files directory
        Suspicious use of WriteProcessMemory
        
        PID:2672
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c $$2028~1.BAT
        7⤵
        Deletes itself
        
        PID:2676

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Internet Explorer\$$202803s.bat

Filesize
81B

MD5
4777bf695815d870d27ed4a38a8f0840

SHA1
565412b5182bca7a221448dba78369c42d1c4a0c

SHA256
c08018226d9a45ab277a01ca35f519ff7ea1cb450d080e24b0f590739654241d

SHA512
87e792d326c5a9d2d92984ec4c34d2af9d616a4676a7d69df73b09975fd077d96077ae2528b6fc05752110eb4e406c3e9d94d49d0a74eeaba6bc6a48bca8ac1d

Download Submit
\Windows\SysWOW64\LiveMessageCenter.exe

Filesize
903KB

MD5
a93151873d122bd0524682f54c82679d

SHA1
bba083e1ef0b7ddd73d68343c6a0c52c1f74346d

SHA256
2fea07cf75f61710bcf3928cd585a179ae661221cb65647c8eb0f2eff0280ac5

SHA512
a7424fe42135004112058c65bda4eb6e58a0f44063dbe1cc5c9e08bbfbf25ad07bc25611bd5058c1add608788a4b3cee997bbac04ae6e24b93f26acf084f6625

Download Submit
\Windows\SysWOW64\casino_extensions.exe

Filesize
909KB

MD5
76f38bf7e317e87d959850dd63786dbc

SHA1
4e3dc9f4f898cd4a8f7465548ef98fdde6b4220e

SHA256
c3140ff98f6d29a47ce017a953628ee197f78584421753ab588479be8aa4aecf

SHA512
90eab01baadf923b58929738aefd1b982f49443fd33a15f750e98f2c81d2080a28a8c8089380101cfecf52e30f1c5875e1d02b00a5f8025307420523cf6bc3ab

Download Submit
memory/2220-20-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download

Analysis

Sharing